If you use RedHat Linux 7.2 or RedHat
Enterprise Linux 2.1 in a server
role there are a number of configuration changes you should make to ensure
the machine is ready for the task at hand.

Disable <Ctrl><Alt><Del>

This seems quite obvious as I have seen many
machines accidentally rebooted with <Ctrl><Alt><Del>, I
have even done it once myself. This is a big problem in mixed NT and Linux
environments where on one machine it means "I want to log in"
and on another it means "I want to reboot".

To disable <ctrl><alt><del> you
need to edit /etc/inittab and change these two lines

After editing /etc/inittab
you need to tell init to reload the file:

# kill -HUP 1

sysctl.conf

There are a number of settings in /etc/sysctl.conf
which need to be checked. If the machine will be forwarding IPv4
packets then you need to enable

net.ipv4.ip_forward = 1

For servers I recommend

kernel.sysrq = 1

to enable the magic SysRq key, and

net.ipv4.icmp_echo_ignore_broadcasts = 1

to prevent the machine from responding to broadcast
pings. Responding to broadcast pings can be abused as a form of denial of
service (DoS), so it is best to disable it.

Depending on the kind of work your server will be
doing, you might need to increase the maximum number of open files and
inodes. (Under 2.4 it seems that fs.inode-max is automatic, but under
2.2 you will need to increase it.)

fs.file-max = 16384
#fs.inode-max = 65536

After editing /etc/sysctl.conf you will need to rerun
sysctl to apply your changes:

# /sbin/sysctl -p

Console security

By default, RedHat Linux will grant special privileges
to any user who logs in on the console. This allows users to do
things such as use the attached audio devices and start the X
server. There are however some bad things which this allows, such as
halting and rebooting the machine. To prevent this you need to edit
the PAM configuration for some usermode applications.

In /etc/pam.d
you will find files called halt,
reboot and poweroff.
Edit each of these files and comment out the following line

#auth required /lib/security/pam_console.so

This change will take effect as soon as you save
the file. You might want to consider removing the usermode RPM, but
there are a number of dependencies on this package and most of the tools
are either useful or harmless as they require a root password.

Keeping logs

By default, your logs will be kept for 4
weeks. I like to increase this to 104 weeks or 2 years. This
obviously can be adjusted to balance disk space and logging needs. I
would however recommend 52 weeks as a minimum.

To change the time your logs are kept for, edit /etc/logrotate.conf
and change the rotate
parameter. You can also override this for specific logs by editing
the files in /etc/logrotate.d/.
For more details see the logrotate man page.

If you have more than one Linux/Unix server then you
should probably set one machine up as a log server and send all your logs
to a central machine as well as storing them locally. This makes it
easier to process your logs and means you have a second copy should a
machine have its security compromised.

To make a server accept log messages from other
machines you need to enable syslog remote reception. This can be
done by editing /etc/sysconfig/syslog
and adding "-r"
to the SYSLOGD_OPTIONS
so it looks like this

SYSLOGD_OPTIONS="-m 0 -r"

Then restart syslog by doing

# /etc/rc.d/init.d/syslog restart

You should see a message in the log files about
remote reception.

To make a machine send its log messages to your log
server you need to add an entry to /etc/syslog.conf.
Something like

*.info @loghost

should be all that is needed. See the man page
for more details (man 5 syslog.conf)

You also need to restart syslog after this
change. The procedure is the same as above.

Restricting Access

Using tcp wrappers to restrict access is simple to
set up. Most services are already configured to use tcp
wrappers. The most secure way to configure tcp wrappers is to deny
everything by default.

/etc/hosts.deny
should contain only the line

ALL: ALL

Then you can add services to /etc/hosts.allow
as appropriate. For example

You do not need to restart anything after changing
these files. They are reread every time a connection is made.
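The following audit script is an added example and is not part of the original article; it checks the <Ctrl><Alt><Del>, sysctl.conf, console security and tcp wrappers settings described above under a given root directory (assumed to be "/" for the live system, or a constructed tree for testing), printing one line per setting that is still missing.

```shell
#!/bin/sh
# Added audit helper (not from the original article): reports which of the
# article's server settings are missing under a root directory, so the same
# checks can be run against the live system ("/") or a constructed test tree.
# Prints one "MISSING: ..." line per finding and returns the number of findings.

# sysctl_is ROOT KEY VALUE: true if ROOT/etc/sysctl.conf has an active KEY = VALUE line
sysctl_is() {
    grep -E "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" \
        "$1/etc/sysctl.conf" >/dev/null 2>&1
}

# pam_console_active ROOT FILE: true if pam_console.so is still an uncommented auth line
pam_console_active() {
    grep -E '^[[:space:]]*auth.*pam_console\.so' "$1/etc/pam.d/$2" >/dev/null 2>&1
}

audit_hardening() {
    root=${1:-/}
    findings=0
    # <Ctrl><Alt><Del>: the ctrlaltdel action in /etc/inittab should be commented out
    if grep -E '^[^#].*:ctrlaltdel:' "$root/etc/inittab" >/dev/null 2>&1; then
        echo "MISSING: /etc/inittab still has an active ctrlaltdel entry"
        findings=$((findings + 1))
    fi
    # sysctl.conf values the article recommends for servers
    for kv in "kernel.sysrq 1" "net.ipv4.icmp_echo_ignore_broadcasts 1"; do
        set -- $kv
        if ! sysctl_is "$root" "$1" "$2"; then
            echo "MISSING: /etc/sysctl.conf should set $1 = $2"
            findings=$((findings + 1))
        fi
    done
    # Console users must not be able to halt, reboot or power off via pam_console
    for f in halt reboot poweroff; do
        if pam_console_active "$root" "$f"; then
            echo "MISSING: /etc/pam.d/$f still has pam_console.so active"
            findings=$((findings + 1))
        fi
    done
    # tcp wrappers: hosts.deny must deny everything by default
    if ! grep -E '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$root/etc/hosts.deny" >/dev/null 2>&1; then
        echo "MISSING: /etc/hosts.deny should contain 'ALL: ALL'"
        findings=$((findings + 1))
    fi
    return $findings
}
```

Run it as root with `audit_hardening /` on a freshly installed machine and again after applying the changes above; a zero return code means every checked setting is in place.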

Password Policy

Changing the password policy is not strictly
necessary as by default a minimum length of 6 characters is
required. There is however very little documentation on changing the
policies, so here is my suggestion. The following is specified in the
PAM System Administrators' Guide but is not very obvious.

Enabling a password history

1. Create the old password file with the command:

# touch /etc/security/opasswd

2. Edit /etc/pam.d/system-auth
and add the following pam_unix parameter "remember=3".

Cracklib will automatically check /etc/security/opasswd
and will not allow any of the passwords listed
to be used again. This means that you must have pam_cracklib stacked
before your pam_unix module (which is the default).